IETF Logo Mail Archive

Re: [TLS] In-handshake CertificateRequest and 0-RTT

Martin Thomson <martin.thomson@gmail.com> Thu, 12 May 2016 07:42 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C44D412D0A7 for <tls@ietfa.amsl.com>; Thu, 12 May 2016 00:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GSGR1sHplsBj for <tls@ietfa.amsl.com>; Thu, 12 May 2016 00:42:39 -0700 (PDT)
Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 485E712B015 for <tls@ietf.org>; Thu, 12 May 2016 00:42:39 -0700 (PDT)
Received: by mail-io0-x22c.google.com with SMTP id i75so79529599ioa.3 for <tls@ietf.org>; Thu, 12 May 2016 00:42:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=87yKSnRwvZ1uMYBPRZxFoMndzLn3HxCL1rmu6wu/hh4=; b=euCsBKh+etehY3klcS3gqIJt+2EHiZuxy5/i5/nNEmtThO2grke9rxDbaeVwBmbZ/2 XEdZ+fbA6WVI/QSv7KMojRbikVqovq1xUJB2iikF16GwW09BoXk/Uzj2fsiuIII6AlpS 9s1kBo8r928WKkVGX4juu30p5tLpb4o3wFnhmNrnYXnrtCU3nTLHiYGCMZIAxAGoi2kj l1gBsN3zH+GMNnnx7X1x1qlwPRmvvaM/ag1UFz8Md7ucw4HoafFa9y7nIyAe/DfKfEkE RJ0UyY5hrutGuxdCjbRzdaq1TP2ufQl5dlC1ocZGR9eLqv/4taYkU1xLHOsAovSlO85c oqqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=87yKSnRwvZ1uMYBPRZxFoMndzLn3HxCL1rmu6wu/hh4=; b=Iw+gJp7F+5myMQG6Pfc9GWePJUKxVvkaxD8dAJABB0MkI54NC9j8Lx39va0f9G+9em uYorLdVQ9u1oZtyZk/jJ7B7A0RzxaC90rtCDhbncDcmGyqLDjdl/aVHMq11vPILEzogm 72L9ufv/nvZH+nnYPMh0NL3ZlOd5gjlWT2uryOqimIbVTKdGb9YT9tAoalShZ6MCyGUh 5dT7YvS8WbTipmRgXTSBQP36NnspKN/xOhVCYjCwe+fERb2AohClcitefTsr51NhfauC PiSsEXYRu9Ke0MRCI+N8WPaxuLAoIuhkn5IrQz1q58JqmhLJIqARfg8ctL2eKRjb9qng 1dvQ==
X-Gm-Message-State: AOPr4FXs/NX6YYZ243lO6iBO+1MbwNA2kX637dglH9iCYrn07UPFiXoEmPXTBm73oZ35e1XFIheh1ynB44YGlA==
MIME-Version: 1.0
X-Received: by 10.36.139.71 with SMTP id g68mr3586529ite.68.1463038958526; Thu, 12 May 2016 00:42:38 -0700 (PDT)
Received: by 10.36.43.82 with HTTP; Thu, 12 May 2016 00:42:38 -0700 (PDT)
In-Reply-To: <CAF8qwaAScbEPVLSJCaRvkE44DTAzqXpYOKodsveCkzc6479=tw@mail.gmail.com>
References: <CAF8qwaD870fuNuVnhnbKBEk3Vc4G7_AfR+mOAtvLwDYNtNgcwA@mail.gmail.com> <CABkgnnXUZaO001_-taHJ2QaLDWiJNofrbw33DKj-aScymQRaVg@mail.gmail.com> <CAF8qwaAScbEPVLSJCaRvkE44DTAzqXpYOKodsveCkzc6479=tw@mail.gmail.com>
Date: Thu, 12 May 2016 17:42:38 +1000
Message-ID: <CABkgnnU9w9Y_iL4yySd4FaS06r5JXiaPO2mfX=rQSfyOua-zJg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fdjrngNxY9uqFRifsLNq2Qa3tK4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] In-handshake CertificateRequest and 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2016 07:42:42 -0000

On 12 May 2016 at 12:41, David Benjamin <davidben@chromium.org> wrote:
> Sure, if we end up doing something on the server, mirroring sounds
> reasonable enough. (This would just be for re-asserting the private key and
> not switching certificates, right?)

Not planning to allow it :)

>[re: post handshake as an extension]
> For HTTP, doing it in an extension the obvious way doesn't quite work.
> Whether Chrome is willing to do renego depends on how ALPN resolves (we
> leave it at its default off state and, after the initial handshake but
> before we could consume a HelloRequest, toggle it off).

Yeah, it's not ideal, but you could advertise support, then refuse to
respond when it is requested of you in situations that you don't like.
But Chrome is, as ever, somewhat special in this regard.  Everyone
else would be sort of protected from accidents unless they took the
same rather extraordinary steps to enable the feature.

v2.23.0 | Report a Bug | By Email